Vit Mojzis wrote:
> To answer your last question, it would be better to solve this without
> adding new rules.
> Try changing the context of /var/lib/ssh-x509-auth/ directory to
> var_auth_t (sshd already has write access to it).
> #chcon -R -t var_auth_t /var/lib/ssh-x509-auth/
>
> If this solves the issue, please file a bug so that we can change the
> context permanently.

Hi. Thanks.

I didn't remember which box this was on - that turned out to be the third CentOS 7 box I looked at... and *both* of the other two were var_auth_t. I changed the context, and logged in as myself, and it seems to not be complaining now. So I'm not sure how it wound up with the wrong context....

Btw, two things: a) no, I didn't want to run chcon, I wanted semanage fcontext... and b) and this *is* a redhat thing, the manpage for semanage has changed from the one in 6, and it's much shorter, does not list the options, and has *no* examples. I had to do a man semanage on a 6 box to get the manpage that gives *examples*, like semanage fcontext -m -t var_auth_t "/var/lib/ssh-x509-auth(/.*)?".....

mark

>
> ----- Original Message -----
> From: "m roth" <m.roth@xxxxxxxxx>
> To: "CentOS" <centos@xxxxxxxxxx>, "selinux" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, April 26, 2016 5:31:16 PM
> Subject: username.pem
>
> Hi, folks,
>
> Our system gets/creates /var/lib/ssh-x509-auth/<username>.pem, then
> deletes it when they log out. selinux (in permissive mode) complains.
> First, I changed the context to cert_t, and *now* it complains that
> ksh93 wants write, etc access on the directory. grep ssh-x509-auth
> /var/log/audit/audit.log | audit2allow offers me this:
> #============= sshd_t ==============
> allow sshd_t cert_t:dir write;
> allow sshd_t var_lib_t:file { write getattr create open ioctl };
>
> So: first, is this an expected behavior; second, is that the correct
> fcontext, and, finally, is it safe for me to create this as a local
> policy?
>
> Thanks in advance.
>
> mark
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
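The `audit2allow` summary quoted in the original question is what you get by grouping AVC denials by source type, target type and object class. The following is an added example, not code from this thread or from the SELinux project: a small Python parser that does that grouping over a few constructed `audit.log` lines modelled on the denials above (the records are made up; the `scontext=`/`tcontext=`/`tclass=` field names are the real AVC format). It also lists which target types differ from the type the files are supposed to carry, here `var_auth_t`, which is the check behind Vit's advice: a denial against a mislabelled path is fixed by relabelling, not by adding an allow rule that would let `sshd_t` write into every `cert_t` directory.

```python
import re
from collections import defaultdict

# Constructed sample AVC records, modelled on the denials quoted in the thread
# (sshd_t writing to a cert_t directory and to var_lib_t files). Not real log data.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1461691876.101:4401): avc:  denied  { write } for  pid=2101 comm="ksh93" name="ssh-x509-auth" dev="dm-0" ino=1048701 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1461691876.102:4402): avc:  denied  { create } for  pid=2101 comm="ksh93" name="mark.pem" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1461691876.103:4403): avc:  denied  { write open } for  pid=2101 comm="ksh93" path="/var/lib/ssh-x509-auth/mark.pem" dev="dm-0" ino=1048702 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1461691876.103:4403): arch=c000003e syscall=2 success=no exit=-13 comm="ksh93" exe="/bin/ksh93"
"""

# Matches only "avc: denied" records; SYSCALL and other record types are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)} for every AVC denial."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def allow_rules(denials):
    """Render the grouped denials in the 'allow src tgt:class perms;' shape audit2allow prints."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def relabel_candidates(denials, expected_type):
    """Target types in the denials that are not the type the path should carry.

    If this list is non-empty the files are mislabelled and the fix is a persistent
    fcontext change plus restorecon, not a local policy module built from the rules."""
    return sorted({tgt for (_, tgt, _) in denials if tgt != expected_type})


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    print("target types that need relabelling:", relabel_candidates(found, "var_auth_t"))
```

Run against a real log with `parse_avc(open("/var/log/audit/audit.log").read())`; if `relabel_candidates` comes back empty the denials are against correctly labelled objects and only then is a policy change the right conversation to have.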